Sensationalism – doing more damage than good

It took me a while to really decide to pull the trigger on this post. For several reasons:

1. I think the way that @ZeroFOX handled this was impeccable. As far as “we” are concerned this issue was put to bed once the instigator (@avriette) balked out on actually having a constructive discussion when invited to.

2. Deciding to pick this up the next day showed me that @avriette blocked me on twitter. That kind’a shows the level of maturity we are dealing with here. Burying your head in the sand and refusing to deal with your provocation is not something that I can respect.

Nevertheless, I did want to put my personal thoughts on this out there (specifically since I don’t think that ZeroFOX needs to handle this anymore, and since I have already voiced my thoughts about this before):

So here goes: During a presentation at Shmoocon, that discussed research conducted with Johns Hopkins University about a red team / blue team exercise over social media. As such, the students have learned about attack vectors that were effective, and have engaged in launching those against their fellow students in other universities. As the talk title implied, the obvious attack methods online were ones that appealed to the target demography: “Mascots, March Madness & #yogapants”. It should have been pretty obvious, that when discussing any attack vectors on social media (and social engineering), anything related to sex, sports, food, free/discounted stuff, will all show up with varying degrees of effectiveness.

And yes – Tinder showed up there as an effective method (yes, it’s a sex-as-a-service app) to target people. I can admit to using Tinder (and Grindr, and happn, and okcupid, and others) as highly effective means of social engineering my targets on red team engagements. I also admit that I have totally stereotyped my female targets and used discounts on Manolo Blahnik shoes, LV bags, and high-end wine. And it was very effective. I’ve used free hot cocoa offers in the winter, and beach getaways in the summer, and iTunes cards, and free food samples, and court side tickets for Knicks games (yes, people actually still go there), and a gazillion other “objectifying” methods of appealing to my targets. Because these things work. And as such, I have presented my experience and research about it, just like this one (and I have been passing along that knowledge very successfully on our Red Team Trainings in the past as well).

During the presentation, it was brought to my attention that someone is tweeting about how the talk is objectifying women and making women in the audience feel uncomfortable. Mike (@theprez98) posted a short blog about this here:

The funny thing is that while I was sitting at the talk, I had two women who I highly respect, tell me how they fail to see whether the content or presentation would make them feel uncomfortable, nor that it was objectifying women in any way. Anecdotally, one of these women also runs the @ZeroFOX account, which “Jane the destroyer” was tweeting to, probably thinking that a man was running it (can you say stereotyping?).

I can’t put myself in anyone else’s shoes, so there is no way for me to debate the “making me feel uncomfortable” claim. Should there have been a trigger warning at the beginning of the talk? Probably not. Especially if you bothered to read the talk title, or the short abstract. But going out, and just for the sake of making a potential scene, and then to bail out when offered to discuss things in more detail shows me the true nature of the instigation.

And that’s where it gets me – it’s doing more damage than good. Like I have said before – my personal experience in the industry is not of “holding back women”. It’s of a very equal approach that puts women and men in the same position: professional. Just like another person that I highly respect in the industry put it in the past: “Calling bullshit on women in infosec” (thanks again Jennifer), and then Amanda’s post about the BSidesLV “incident” – these instigators are just doing more damage.

Yes, just like in any large enough group of people, you’ll find the assholes who are sexist. You’ll also find bigots, racists, trolls, anti-social people, douchebags (bro’s), etc… You cannot expect that since this environment is “yours” (i.e. infosec), it would be devoid of your run-of-the-mill social miscreants. Just like you deal with it in your non-infosec life, deal with it here. I’m dealing with it because I’m bald, and Israeli, and am often associated with Jews (no – I don’t care for kosher food. I like GOOD food, which usually excludes kosher. Stop stereotyping!). And I’ve dealt with it when I saw other people out of line when it comes to my friends or the hacker family. Whether it was a cop picking on a black person, or a woman being harassed at a bar or a conference (not that they need it – they stood up for themselves just fine…).

So here goes. You got your 15 minutes of fame, I hope you enjoy them. I wouldn’t want mine to be about stuff like this. I’d like it to be about things that I’m passionate about, and that can actually make a difference.

Like hacking.

Think about it.


Update: This pretty much puts it to bed.


9 responses to “Sensationalism – doing more damage than good”

  1. Excuse me? This issue was put to bed once the woman who raised the issue declined to respond in exactly the manner _you_ believe she was required to?

    An invitation is not an obligation. Jane expressing her opinion does not obligate her to meet someone she doesn’t know in a crowded social setting and hash out something complex, nuanced, and personal. (I wouldn’t have gone for that either, and I’m anything but reticent.) Maybe she would have preferred a more private setting, or email rather than face-to-face… or maybe she didn’t want to engage any farther than she already had. I don’t know, and neither do you.

    Also, I wasn’t at the talk in question, but: after Shmoocon I was discussing the event with another (male) attendee & mentioned in passing that it was nice to go to a hacker con – or _any_ con, for that matter – and not see naked / sexy women plastered all over the slides / booths / etc. He told me it was mostly that way, but the social media talk had gratuitous hot-chick images in their slides, and that they were totally unnecessary – the presenters could have made the same points by describing their tactics, rather than displaying their bait – and he didn’t think it was appropriate.

    So it’s not just Jane. And it’s not just a woman. I’m glad the women you spoke to weren’t uncomfortable with the content – but their comfort does not invalidate another person’s discomfort.

    (I have no idea why Jane blocked you on Twitter. She doesn’t have to explain herself, or justify it. But if I were in her shoes, and I was catching shit simply for speaking up, I’d be hitting the block button so fast Twitter would suspend me for DoS.)

    This, right here, is why women hesitate to speak up when our community makes us uncomfortable. This is not awesome.

    – Lisa (@llorenzin)

    • Lisa,

      Thanks for your comments. And yes – Jane didn’t have to accept our invitation to catch up in a non-formal environment (lobby) for coffee.
      And as I put it in my original post – I cannot put myself in anyone’s shoes. If something makes them uncomfortable, there’s no argument.
      Nevertheless, saying that the slides were plastered with naked/sexy women is really an exaggeration. One image of a sample from a profile that has been specifically designed (by the students) to show the “party life”, is as far as it got (in terms of something that may be objectionable). The other image (second profile – the Tinder one) definitely was not objectionable (at least to my standards) and was taken from a real social media profile of one of the students’ friends (with her consent of course).
      As far as choosing to describe the tactics rather than displaying them – I might agree there, although I’d peg it as personal choice. All other tactics were described AND presented. And as I said – as far as I’m concerned this didn’t cross the line. So that concludes the “visuals” issue?
      More concerning to me, was the claim that the entire talk was objectifying, and in that reference – to the actual talk’s content. When you walk into a red-team/blue-team on social media talk, I believe you should be ready to face the realization that the talk WILL (not just MAY) contain content like that. Namely attack vectors that involve sex. I’ve been practicing this for years, have talked and taught about it, and not once have I had a problem. I also think that at some point I’ve had more questionable images on my slides (still no nudity of course). In my book – this was (is) provocation for the sake of provocation.

      So, no – I don’t expect Jane to explain herself. I do however expect her to engage in some form of discourse once she publicly starts such provocation. Otherwise, it’s plain old trolling (which I can unfortunately also fairly well articulate and analyze). And as I said – in my view (which you may find surprising, but is very feminist) this kind of behavior does more harm than good. Just my 2c.

  2. I was in the “Mascots, March Madness & #yogapants: Hacking Goes to College” talk at ShmooCon on Sunday. (I was sitting 4-5 rows back, just behind the ZeroFOX contingent.) I’ve been mulling over the presentation for the past day or so. I haven’t said anything about it publicly, but seeing some of the tweets and a couple blog posts about it, I decided to speak up. Here’s my 2 cents …

    I thought the talk was interesting, and I appreciate Chris Cullison and Zack Allen getting up and presenting. I thought they did a good job covering the topic, explaining the class assignment, what the students went through, and the techniques that worked well. (Aside: I thought they covered the red side in a bit more detail than the blue side. I was happy to hear about the offense, but I would like to have heard a bit more about how to defend against the attacks. But that’s neither here nor there.)

    I was, however, uncomfortable with some aspects of their presentation. I found one of the slides in their presentation to be a poor choice, showing what I consider to be gratuitous pictures of “hot” women. (I don’t have the slides in front of me so I can’t say with 100% certainty, but I don’t think those were from a Tinder profile. It was multiple pictures popping up on a single slide, and I think it was later in the talk than the Tinder profile.) I saw no reason that those pictures needed to be in the talk to explain or convey the work and research they and the students had done. By that point in the talk, they had already explained that they had very good success with “sex sells” attack vector. (Which comes as no surprise for a talk on social media hacking.) But in my opinion, showing pictures of “hot” women does nothing to further or explain that point.

    One of the speakers – I don’t remember which one – commented that the pictures they were showing on that slide weren’t the ones the students actually used; the ones the students used were actually much more risque. He replied to a comment/question from someone in the audience who asked about the actual pictures to find him (presenter) after the talk if he (guy from audience) wanted to see those pictures.

    Saying the pictures shown weren’t the actual, more risque ones makes me think that the presenters realized that the actual pictures would have been inappropriate. What I don’t understand, and what made me uncomfortable, is that they decided that putting pictures of “hot” women in the presentation was OK or was needed for the presentation. I don’t think it was OK, and it came across as simply gratuitous to go along with the “#yogapants” hashtag in the talk title.

    The exchange about “see me after the talk to see the actual pictures” made me uncomfortable. Not only did it detract from the good research they were presenting, it reminded me of the fraternity atmosphere that I remember from college, which was sexist and objectified women. I was surprised and saddened to run into that in a professional setting.

    I don’t know either of the speakers. I know nothing about their personal opinions and thoughts. I don’t know anything about their backgrounds other than what I read in the abstract. In fact, all I know of them and of ZeroFOX at this point is from this one talk. This was their one shot to make a first impression (on me) for themselves and their company. And the impression I left with is: good research but poor choices in presentation because it made me uncomfortable and came across as less professional than it could have.

    – Mike (@fromagefacile)

    • Great points Mike, and I agree on your observation regarding the choice of images. It’s always a balancing act, and as you noted the choice was NOT to show the actual samples the students used. Whether the alternate was still offensive or not is obviously up for discussion.
      Re your comment on handling the audience (which was indeed looking for more), I agree again. By answering in the same context of the question the rest of the audience was overlooked. Although deferring back to “see me after” is what I would have done. Maybe with less ‘wink-wink’, but still.
      Hope you keep up with the research that’s still to come!

  3. I was in the audience and as an avowed feminist, a woman, and a doctoral researcher in Political Science, I found the presented research revealed that sex sells and that using images of scantily clad women can increase odds that a target will click the link. I have seen more lascivious images on the cover of Maxim at the local newsstand. It was presented for the pedagogical purpose and if we cannot present that type of material at a conference, why have the conference?

    What is really problematic is that sexism and anti-feminist/anti-equality speech and actions DO occur and ought to be addressed when it occurs. When one seeks to publicly call out researchers presenting their research in a straightforward manner, it serves the opposite goal; it makes it “bad” to show a woman who chooses to wear an outfit and explain how college-age males were more inclined to click that link. That woman chose that outfit, was photographed and now that picture was used as clickbait. Isn’t it sexist to claim that the picture is bad, thus invalidating that woman’s choice to dress herself? In the name of research and truth, I would never want to dumb down a presentation based on a picture that can be seen on any newsstand and any football game. I think the criticism was not applicable in this situation and it is a shame that this cloud has been cast over an otherwise interesting and educational presentation.
